Dynamic membership rules for groups in Azure Active Directory

In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic memberships for groups. Dynamic group membership reduces the administrative overhead of adding and removing users. This article details the properties and syntax to create dynamic membership rules for users or devices. You can set up a rule for dynamic membership on security groups or Microsoft 365 groups.

When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You can't manually add or remove a member of a dynamic group.

  • You can create a dynamic group for devices or for users, but you can't create a rule that contains both users and devices.
  • You can't create a device group based on the device owners' attributes. Device membership rules can only reference device attributes.

This feature requires an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups. You don't have to assign licenses to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the Azure AD organization to cover all such users. For example, if you had a total of 1,000 unique users in all dynamic groups in your organization, you would need at least 1,000 licenses for Azure AD Premium P1 to meet the license requirement. No license is required for devices that are members of a dynamic device group.

Rule builder in the Azure portal

Azure AD provides a rule builder to create and update your important rules more quickly. The rule builder supports the construction of up to five expressions. The rule builder makes it easier to form a rule with a few simple expressions; however, it can't be used to reproduce every rule. If the rule builder doesn't support the rule you want to create, you can use the text box.

Here are some examples of advanced rules or syntax for which we recommend that you use the text box:

The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of dynamic group rules in any way.

For step-by-step instructions, see Create or update a dynamic group.


Rule syntax for a single expression

A single expression is the simplest form of a membership rule and has only the three parts (property, operator, value) described under Constructing the body of a membership rule. A rule with a single expression looks similar to this: Property Operator Value, where the syntax for the property is the name of

The following is an example of a properly constructed membership rule with a single expression:

user.department -eq "Sales"

Parentheses are optional for a single expression. The total length of the body of your membership rule cannot exceed 2048 characters.

Constructing the body of a membership rule

A membership rule that automatically populates a group with users or devices is a binary expression that results in a true or false outcome. The three parts of a simple rule are:

  • Property
  • Operator
  • Value

The order of the parts within an expression is important to avoid syntax errors.

Supported properties

There are three types of properties that can be used to construct a membership rule.

  • Boolean
  • String
  • String collection

The following are the user properties that you can use to create a single expression.

Properties of type boolean

| Property | Allowed values | Usage |
|---|---|---|
| accountEnabled | true, false | user.accountEnabled -eq true |
| dirSyncEnabled | true, false | user.dirSyncEnabled -eq true |

Properties of type string

| Property | Allowed values | Usage |
|---|---|---|
| city | Any string value or null | (user.city -eq "value") |
| country | Any string value or null | (user.country -eq "value") |
| companyName | Any string value or null | (user.companyName -eq "value") |
| department | Any string value or null | (user.department -eq "value") |
| displayName | Any string value | (user.displayName -eq "value") |
| employeeId | Any string value | (user.employeeId -eq "value"); (user.employeeId -ne null) |
| facsimileTelephoneNumber | Any string value or null | (user.facsimileTelephoneNumber -eq "value") |
| givenName | Any string value or null | (user.givenName -eq "value") |
| jobTitle | Any string value or null | (user.jobTitle -eq "value") |
| mail | Any string value or null (SMTP address of the user) | (user.mail -eq "value") |
| mailNickName | Any string value (mail alias of the user) | (user.mailNickName -eq "value") |
| mobile | Any string value or null | (user.mobile -eq "value") |
| objectId | GUID of the user object | (user.objectId -eq "11111111-1111-1111-1111-111111111111") |
| onPremisesSecurityIdentifier | On-premises security identifier (SID) for users who were synchronized from on-premises to the cloud | (user.onPremisesSecurityIdentifier -eq "S-1-1-11-1111111111-1111111111-1111111111-1111111") |
| passwordPolicies | None; DisableStrongPassword; DisablePasswordExpiration; DisablePasswordExpiration, DisableStrongPassword | (user.passwordPolicies -eq "DisableStrongPassword") |
| physicalDeliveryOfficeName | Any string value or null | (user.physicalDeliveryOfficeName -eq "value") |
| postalCode | Any string value or null | (user.postalCode -eq "value") |
| preferredLanguage | ISO 639-1 code | (user.preferredLanguage -eq "en-US") |
| sipProxyAddress | Any string value or null | (user.sipProxyAddress -eq "value") |
| state | Any string value or null | (user.state -eq "value") |
| streetAddress | Any string value or null | (user.streetAddress -eq "value") |
| surname | Any string value or null | (user.surname -eq "value") |
| telephoneNumber | Any string value or null | (user.telephoneNumber -eq "value") |
| usageLocation | Two-letter country/region code | (user.usageLocation -eq "US") |
| userPrincipalName | Any string value | (user.userPrincipalName -eq "alias@domain") |
| userType | member, guest, null | (user.userType -eq "Member") |

Properties of type string collection

| Property | Allowed values | Usage |
|---|---|---|
| otherMails | Any string value | (user.otherMails -contains "alias@domain") |
| proxyAddresses | SMTP: alias@domain; smtp: alias@domain | (user.proxyAddresses -contains "SMTP: alias@domain") |

For the properties used for device rules, see Rules for devices.

Supported expression operators

The following table lists all the supported operators and their syntax for a single expression. Operators can be used with or without the hyphen (-) prefix.

| Operator | Syntax |
|---|---|
| Not Equals | -ne |
| Equals | -eq |
| Not Starts With | -notStartsWith |
| Starts With | -startsWith |
| Not Contains | -notContains |
| Contains | -contains |
| Not Match | -notMatch |
| Match | -match |
| In | -in |
| Not In | -notIn |

Using the -in and -notIn operators

If you want to compare the value of a user attribute against a number of different values you can use the -in or -notIn operators. Use the bracket symbols "[" and "]" to begin and end the list of values.

In the following example, the expression evaluates to true if the value of user.department equals any of the values in the list:

   user.department -in ["50001","50002","50003","50005","50006","50007","50008","50016","50020","50024","50038","50039","51100"]

Using the -match operator

The -match operator is used for matching any regular expression. Examples:

user.displayName -match "Da.*"

Da, Dav, David evaluate to true; aDa evaluates to false.

user.displayName -match ".*vid"

David evaluates to true; Da evaluates to false.

Supported values

The values used in an expression can consist of several types, including:

  • Strings
  • Boolean - true, false
  • Numbers
  • Arrays - number array, string array

When specif)ying a value within an expression it is important to use the correct syntax to avoid errors. Some syntax tips are:

  • Double quotes are optional unless the value is a string.
  • String and regex operations are not case sensitive.
  • When a string value contains double quotes, both quotes should be escaped using the ` character, for example, user.department -eq `"Sales`" is the proper syntax when "Sales" is the value.
  • You can also perform null checks, using null as a value, for example, user.department -eq null.

Use of null values

To specify a null value in a rule, you can use the null value.

  • Use -eq or -ne when comparing the null value in an expression.
  • Use quotes around the word null only if you want it to be interpreted as a literal string value.
  • The -not operator can't be used as a comparative operator for null. If you use it, you get an error whether you use null or $null.

The correct way to reference the null value is as follows:

   user.mail -ne null

Rules with multiple expressions

A group membership rule can consist of more than one single expression connected by the -and, -or, and -not logical operators. Logical operators can also be used in combination.

The following are examples of properly constructed membership rules with multiple expressions:

(user.department -eq "Sales") -or (user.department -eq "Marketing")
(user.department -eq "Sales") -and -not (user.jobTitle -contains "SDE")

Operator precedence

All operators are listed below in order of precedence from highest to lowest. Operators on the same line are of equal precedence:

-eq -ne -startsWith -notStartsWith -contains -notContains -match -notMatch -in -notIn
-any -all

The following is an example of operator precedence where two expressions are being evaluated for the user:

   user.department -eq "Marketing" -and -eq "US"

Parentheses are needed only when precedence does not meet your requirements. For example, if you want department to be evaluated first, the following shows how parentheses can be used to determine order:

   -eq "US" -and (user.department -eq "Marketing" -or user.department -eq "Sales")

Rules with complex expressions

A membership rule can consist of complex expressions where the properties, operators, and values take on more complex forms. Expressions are considered complex when any of the following are true:

  • The property consists of a collection of values; specifically, multi-valued properties
  • The expressions use the -any and -all operators
  • The value of the expression can itself be one or more expressions

Multi-value properties

Multi-value properties are collections of objects of the same type. They can be used to create membership rules using the -any and -all logical operators.

| Property | Values | Usage |
|---|---|---|
| assignedPlans | Each object in the collection exposes the following string properties: capabilityStatus, service, servicePlanId | user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled") |
| proxyAddresses | SMTP: alias@domain; smtp: alias@domain | (user.proxyAddresses -any (_ -contains "contoso")) |

Using the -any and -all operators

You can use the -any and -all operators to apply a condition to one or all of the items in the collection, respectively.

  • -any (satisfied when at least one item in the collection matches the condition)
  • -all (satisfied when all items in the collection match the condition)

Example 1

assignedPlans is a multi-value property that lists all service plans assigned to the user. The following expression selects users who have the Exchange Online (Plan 2) service plan (as a GUID value) that is also in Enabled state:

user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled")

A rule such as this one can be used to group all users for whom a Microsoft 365 (or other Microsoft Online Service) capability is enabled. You could then apply a set of policies to the group.

Example 2

The following expression selects all users who have any service plan that is associated with the Intune service (identified by service name "SCO"):

user.assignedPlans -any (assignedPlan.service -eq "SCO" -and assignedPlan.capabilityStatus -eq "Enabled")

Using the underscore (_) syntax

The underscore (_) syntax matches occurrences of a specific value in one of the multivalued string collection properties to add users or devices to a dynamic group. It is used with the -any or -all operators.

Here's an example of using the underscore (_) in a rule to add members based on user.proxyAddress (it works the same for user.otherMails). This rule adds any user with a proxy address that contains "contoso" to the group.

(user.proxyAddresses -any (_ -contains "contoso"))
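The single-expression, -in, -match, null-value, multiple-expression, precedence, -any/-all and underscore sections above all describe one evaluation model, so here is a single added example that exercises them together: a small Python evaluator for the rule syntax, run over constructed sample user records. It is not Azure AD's code or the rule builder's, and it makes assumptions the page does not state: -not binds tighter than -and, which binds tighter than -or (the page's precedence list as reproduced here covers only the comparison and collection operators); -match is a whole-string, case-insensitive regular-expression match, which is what reproduces the page's Da.* and .*vid examples; numeric values are not handled; and -all over an empty collection is true, so an -all rule admits an object whose collection is empty. The sample users, their ids and addresses are constructed; only the Exchange Online (Plan 2) service plan GUID comes from the page.

```python
import re

# Added example, not Azure AD code: a toy evaluator for this page's membership-rule syntax. Assumed:
# -not binds tighter than -and, which binds tighter than -or; -match is a whole-string, case-insensitive
# regex match (so "Da.*" matches David but not aDa); numbers are not supported; "-" on operators is optional.
_TOKEN_RE = re.compile(r'[\s,]+|(?P<str>"(?:`"|[^"])*")|(?P<punct>[()\[\]])'
                       r'|(?P<word>-?[A-Za-z_][\w.]*)')
_NEGATED = {"ne": "eq", "notin": "in", "notstartswith": "startswith",
            "notcontains": "contains", "notmatch": "match"}   # negated form -> base form

class _Parser:
    def __init__(self, text):
        if _TOKEN_RE.sub("", text):                  # anything the tokenizer would skip is an error
            raise SyntaxError(f"unrecognised text in rule: {_TOKEN_RE.sub('', text)!r}")
        self.toks = [(m.lastgroup, m.group()) for m in _TOKEN_RE.finditer(text) if m.lastgroup]
    def peek(self): return self.toks[0] if self.toks else (None, None)
    def take(self): return self.toks.pop(0) if self.toks else (None, None)
    def op(self):                                    # next token as a bare operator name, or None
        return self.peek()[1].lstrip("-").lower() if self.peek()[0] == "word" else None
    def expr(self):                                  # -or (loosest), then -and, then -not
        return self.chain("or", lambda: self.chain("and", self.primary))
    def chain(self, op, operand):                    # left-associative -and / -or chains
        node = operand()
        while self.op() == op:
            self.take()
            node = (op, node, operand())
        return node
    def primary(self):                               # -not X, "( rule )", or Property Operator Value
        if self.op() == "not":
            self.take()
            return ("not", self.primary())
        if self.peek() == ("punct", "("):
            self.take()
            node = self.expr()
            if self.take() != ("punct", ")"):
                raise SyntaxError("missing ')'")
            return node
        kind, prop = self.take()
        if kind != "word" or prop.startswith("-"):
            raise SyntaxError(f"expected a property, got {prop!r}")
        op, _ = self.op(), self.take()
        if op in ("any", "all"):                     # collection operators wrap a nested rule
            return (op, prop, self.primary())
        if op not in _NEGATED and op not in _NEGATED.values():   # so "-not null" is rejected
            raise SyntaxError(f"unknown operator {op!r} after {prop}")
        return ("cmp", op, prop, self.value())
    def value(self):
        kind, text = self.take()
        if kind == "str":
            return text[1:-1].replace('`"', '"')     # `" is the page's escape for a quote
        if kind == "word" and text.lower() in ("null", "true", "false"):
            return {"null": None, "true": True, "false": False}[text.lower()]
        if text != "[":
            raise SyntaxError(f"unexpected value {text!r}")
        items = []                                   # bracketed value list for -in / -notIn
        while self.peek() != ("punct", "]"):
            items.append(self.value())
        self.take()
        return items

def _resolve(prop, root, item):                      # user.x / device.x, or _ / alias.x inside -any/-all
    head, _, rest = prop.partition(".")
    obj = root if head in ("user", "device") else item
    for part in filter(None, rest.split(".")):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj

def _compare(op, left, right):
    norm = lambda v: v.lower() if isinstance(v, str) else v      # strings compare case-insensitively
    l, r, base = norm(left), norm(right), _NEGATED.get(op, op)
    if base == "eq":
        hit = l == r
    elif base == "in" or isinstance(left, list):                 # value list / string collection
        hit = l in map(norm, right) if base == "in" else r in map(norm, left)
    elif base == "match" and isinstance(l, str):                 # whole-string regex
        hit = re.fullmatch(str(right), left, re.IGNORECASE) is not None
    else:                                                        # null/bool never match string ops
        hit = isinstance(l, str) and (l.startswith(str(r)) if base == "startswith" else str(r) in l)
    return hit != (op in _NEGATED)                               # ne, notIn, notContains ... negate

def _evaluate(node, root, item=None):
    kind, *args = node
    if kind in ("and", "or", "not"):
        vals = [_evaluate(n, root, item) for n in args]
        return {"and": all, "or": any, "not": lambda v: not v[0]}[kind](vals)
    if kind in ("any", "all"):                                   # nested rule over each collection item
        coll = _resolve(args[0], root, item) or []
        return (any if kind == "any" else all)(_evaluate(args[1], root, x) for x in coll)
    return _compare(args[0], _resolve(args[1], root, item), args[2])

def members(rule, objects, key="objectId"):                      # ids the rule would place in the group
    parser = _Parser(rule)
    tree = parser.expr()
    if parser.toks:
        raise SyntaxError(f"unexpected token {parser.toks[0][1]!r}")
    return [obj[key] for obj in objects if _evaluate(tree, obj)]

EXCHANGE_P2 = "efb87545-963c-4e0d-99df-69c6916d9eb0"            # Exchange Online (Plan 2) id from the page
SAMPLE_USERS = [                                                 # constructed sample data, not a real tenant
    {"objectId": "u1", "displayName": "David", "department": "Sales", "userType": "Member",
     "jobTitle": "SDE II", "proxyAddresses": ["SMTP:david@contoso.com"],
     "assignedPlans": [{"servicePlanId": EXCHANGE_P2, "capabilityStatus": "Enabled"}]},
    {"objectId": "u2", "displayName": "Dana", "department": "Marketing", "userType": "Member",
     "proxyAddresses": ["SMTP:dana@fabrikam.com", "smtp:dana@contoso.com"],
     "assignedPlans": [{"servicePlanId": EXCHANGE_P2, "capabilityStatus": "Deleted"}]},
    {"objectId": "u3", "displayName": "Ada", "department": None, "userType": "Guest",
     "proxyAddresses": [], "assignedPlans": []},
]
```

members(rule, SAMPLE_USERS) returns the objectIds the rule would select, and a rule the parser cannot accept raises SyntaxError. Running the page's own rules against the sample shows, for instance, that (user.department -eq "Sales") -and -not (user.jobTitle -contains "SDE") selects nobody because the only Sales user has an SDE title; that user.department -eq null selects the user whose department is unset while user.department -in [...] never does, so a null check is the only way to reach such users; that (user.proxyAddresses -any (_ -contains "contoso")) picks up a user whose contoso address is only a secondary smtp: entry; and that user.department -not null or a $null value is rejected, as the null-value section warns. Device rules work the same way, since a device.* property resolves against the device record.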

Other properties and common rules

Create a "Direct reports" rule

You can create a group containing all direct reports of a manager. When the manager's direct reports change in the future, the group's membership is adjusted automatically.

The direct reports rule is constructed using the following syntax:

Direct Reports for "{objectID_of_manager}"

Here's an example of a valid rule where "62e19b97-8b3d-4d4a-a106-4ce66896a863" is the objectID of the manager:

Direct Reports for "62e19b97-8b3d-4d4a-a106-4ce66896a863"

The following tips can help you use the rule properly.

  • The Manager ID is the object ID of the manager. It can be found in the manager's Profile.
  • For the rule to work, make sure the Manager property is set correctly for users in your organization. You can check the current value in the user's Profile.
  • This rule supports only the manager's direct reports. In other words, you can't create a group with the manager's direct reports and their reports.
  • This rule can't be combined with any other membership rules.

Create an "All users" rule

You can create a group containing all users within an organization using a membership rule. When users are added or removed from the organization in the future, the group's membership is adjusted automatically.

The "All users" rule is constructed using a single expression with the -ne operator and the null value. This rule adds B2B guest users as well as member users to the group.

user.objectId -ne null

If you want your group to exclude guest users and include only members of your organization, you can use the following syntax:

(user.objectId -ne null) -and (user.userType -eq "Member")

Create an "All devices" rule

You can create a group containing all devices within an organization using a membership rule. When devices are added or removed from the organization in the future, the group's membership is adjusted automatically.

The "All devices" rule is constructed using a single expression with the -ne operator and the null value:

device.objectId -ne null

Extension properties and custom extension properties

Extension attributes and custom extension properties are supported as string properties in dynamic membership rules. Extension attributes are synced from on-premises Windows Server AD and take the format of "ExtensionAttributeX", where X equals 1 - 15. Here's an example of a rule that uses an extension attribute as a property:

(user.extensionAttribute15 -eq "Marketing")

Custom extension properties are synced from on-premises Windows Server AD or from a connected SaaS application and are of the format user.extension_[GUID]_[Attribute], where:

  • [GUID] is the unique identifier in Azure AD for the application that created the property in Azure AD
  • [Attribute] is the name of the property as it was created

An example of a rule that uses a custom extension property is:

user.extension_c272a57b722d4eb29bfe327874ae79cb_OfficeNumber -eq "123"

The custom property name can be found in the directory by querying a user's property using Graph Explorer and searching for the property name. Also, you can now select the Get custom extension properties link in the dynamic user group rule builder to enter a unique app ID and receive the full list of custom extension properties to use when creating a dynamic membership rule. This list can also be refreshed to get any new custom extension properties for that app.

Rules for devices

You can also create a rule that selects device objects for membership in a group. You can't have both users and devices as group members.

The organizationalUnit attribute is no longer listed and should not be used. This string is set by Intune in specific cases but is not recognized by Azure AD, so no devices are added to groups based on this attribute.

systemlabels is a read-only attribute that cannot be set with Intune.

For Windows 10, the correct format of the deviceOSVersion attribute is as follows: (device.deviceOSVersion -eq "10.0.17763"). The formatting can be validated with the Get-MsolDevice PowerShell cmdlet.

The following device attributes can be used.

| Device attribute | Values | Example |
|---|---|---|
| accountEnabled | true, false | (device.accountEnabled -eq true) |
| displayName | any string value | (device.displayName -eq "Rob iPhone") |
| deviceOSType | any string value | (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone"); (device.deviceOSType -contains "AndroidEnterprise"); (device.deviceOSType -eq "AndroidForWork") |
| deviceOSVersion | any string value | (device.deviceOSVersion -eq "9.1") |
| deviceCategory | a valid device category name | (device.deviceCategory -eq "BYOD") |
| deviceManufacturer | any string value | (device.deviceManufacturer -eq "Samsung") |
| deviceModel | any string value | (device.deviceModel -eq "iPad Air") |
| deviceOwnership | Personal, Company, Unknown | (device.deviceOwnership -eq "Company") |
| enrollmentProfileName | Apple Device Enrollment Profile name, Android Enterprise Corporate-owned dedicated device Enrollment Profile name, or Windows Autopilot profile name | (device.enrollmentProfileName -eq "DEP iPhones") |
| isRooted | true, false | (device.isRooted -eq true) |
| managementType | MDM (for mobile devices); PC (for computers managed by the Intune PC agent) | (device.managementType -eq "MDM") |
| deviceId | a valid Azure AD device ID | (device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d") |
| objectId | a valid Azure AD object ID | (device.objectId -eq "76ad43c9-32c5-45e8-a272-7b58b58f596d") |
| devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | (device.devicePhysicalIDs -any _ -contains "[ZTDId]"); (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881"); (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342") |
| systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | (device.systemLabels -contains "M365Managed") |

For deviceOwnership, when creating dynamic groups for devices you need to set the value equal to "Company". On Intune the device ownership is represented instead as Corporate. Refer to OwnerTypes for more details.

Next steps

These articles provide additional information on groups in Azure Active Directory.